Fortinet SSL VPN interface limitations


There appears to be an interface-related limitation in the SSL VPN implementation on Fortinet's FortiGate firewalls: you cannot connect to the SSL VPN on the IP address of any interface other than the one your traffic enters the firewall on.

In other words, even with the appropriate firewall policy rules in place to allow your traffic to pass through the FortiGate from the interface it is received on to the interface whose address the SSL VPN traffic is destined for, the FortiGate does not respond.

I have been able to verify that this bug/feature is present in the latest build of FortiOS 3.0, but have not yet been able to test any of the FortiOS 4.0 releases.

In my case this was a problem because the WAN interface has a private IP address on it, with a block of public IP addresses routed to the unit and in use on the LAN interface. In the end I worked around this by routing a single additional public address to the unit and configuring it as a secondary address on the WAN interface with a /32 subnet mask. The SSL VPN could then be accessed on that public IP address.
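The workaround above expressed as FortiOS CLI, added here as an illustration rather than taken from the original post. The interface name `wan1`, the documentation address 203.0.113.10 and the CLI syntax (which follows later FortiOS releases; the exact form on FortiOS 3.0 may differ) are assumptions.

```fortios
# Assumed example config, not from the original post.
# Prerequisite (done on the upstream router/ISP side, not here):
# 203.0.113.10/32 is routed to the WAN interface's private address.
config system interface
    edit "wan1"
        # enable secondary addressing on the WAN interface
        set secondary-IP enable
        config secondaryip
            edit 1
                # the single extra public address, /32 so no subnet is
                # implied on the private WAN segment
                set ip 203.0.113.10 255.255.255.255
                # expose only what the SSL VPN listener needs
                set allowaccess https
            next
        end
    next
end
```

Because the SSL VPN now answers on an address that belongs to the WAN interface itself, the inbound traffic arrives on the same interface whose address it targets, which sidesteps the limitation described above.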


